-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
most minimal host #45
Comments
Documented here: https://tiiuae.github.io/ghaf/architecture/adr/minimal-host.html |
As it would be inconvenient to do all those experiments in the ghaf repository, I have yet to create a draft pull request. All of my experiments (which were committed) are located here and here. ExperimentsGhaf minimalThe first repository consists of several branches, each of which represents some experiment: gistImplements this gist in nix. gist-glibcRefines branch above with the use of glibc instead of musl. gist-systemdUses systemd for initialization instead of a hand-written script. nixos-toplevelKeeps the essential packages for NixOS. Removes almost everything, and the remaining system builds but not working. It shows how everything indirectly depends upon top-level derivation. Dependencies could be tracked buy only through source code. But when I looked into it, I saw that many stuff are hard-coded. For example, there's no easy way to replace coreutils and util-linux with busybox because nixpkgs depend on it heavily. Also, Perl used all over NixOS for different scripts: install grub, activation scripts, and switch to configuration. Ghaf notHere I tried to fork not-os to essentially reimplement low-level components of NixOS and then plug high-level modules in. Next stepsWe have the following requirements: easy-maintainable, small TCB in the resulting image. The problem is that it is currently impossible for both of them. The maximum that we can have right now without forking NixOS or reimplementing low-level components is to modify the systemd package. If we choose to maintain our code base, then the most sensible steps will be the following:
We'll have the smallest possible TCB, but we'll need to support our code base, which may break over time. The other way is to keep things simple and stay with the current NixOS code base with minor modifications for the image build scripts to eliminate Nix on the host. The last approach seems more sensible in the long term because we can patch things gradually, as CVE's will be found for some of the packages we'll use. There are currently two ways to patch packages. Either with |
Originally posted by @brianmcgillion in #41 (review)
The text was updated successfully, but these errors were encountered: